[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Feb 25 14:34:51 UTC 2013
Quoting Glauber Costa (glommer at parallels.com):
> On 02/22/2013 08:34 PM, Eric W. Biederman wrote:
> > Glauber Costa <glommer at parallels.com> writes:
> >
> >> On 01/22/2013 01:11 PM, Eric W. Biederman wrote:
> >>>
> >>> The kernel support for user namespaces allows ordinary users to use
> >>> multiple uids and gids if they can get a trusted program to tell the
> >>> kernel the set of subordinate uids and gids they are allowed to use.
> >>>
> >>> This is my work to make that trusted program.
> >>> Two new files are added /etc/subuid /etc/subgid that specify
> >>> ranges of uids and gids that users may uses.
> >>>
> >>> useradd, and newusers are modifed to add users to those files.
> >>>
> >>> userdel is modeifed to remove users from those files.
> >>>
> >>> usermod is modified to give manual control of what goes in those files.
> >>>
> >>> newuidmap and newgidmap read the new files and update
> >>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
> >>> as requested by their command line parameters and as allowed
> >>> by the /etc/subuid and /etc/subgid.
> >>>
> >>> The following patches are against the current developent trunk
> >>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
> >>> these patches also apply to shadow 4.1.5.
> >>>
> >>> Eric W. Biederman (11):
> >>> Documentation for /etc/subuid and /etc/subgid
> >>> login.defs.5: Document the new variables in login.defs
> >>> Implement commonio_append.
> >>> Add backend support for suboridnate uids and gids
> >>> Implement find_new_sub_uids find_new_sub_gids
> >>> userdel: Add support for removing subordinate user and group ids.
> >>> useradd: Add support for subordinate user identifiers
> >>> Add support for detecting busy subordinate user ids
> >>> usermod: Add support for subordinate uids and gids.
> >>> newusers: Add support for assiging subordinate uids and gids.
> >>> newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
> >>
> >> Hi,
> >>
> >> Is there any intention to merge this (or any later version thereof) ?
> >> I intend to start excluding uid ranges for containers usage in OpenVZ,
> >> and support for that in tooling would come in handy.
> >
> > I don't know what the state of the main pkg-shadow package is. I have
> > heard anything and the repository seems to have been dormant since the
> > last release almost a year ago.
> >
> > However the last I heard Serge was working on getting these changes into
> > Ubuntu.
> >
> > So the intention is to get this code merged but I don't know what more
> > needs to be done at this point.
> >
> I understand, this was more a question for the package maintainers.
> It would be interesting for us to have those changes more widely
> available than just @Ubuntu
Well, I would aim to get it into Debian, from where it should make it
into all its downstreams eventually... But I know that's not what you
mean :)
Note that the core of this really isn't a big deal, and you can easily
implement your own distro-independent wrappers. Just provide an easy
tool for admins to assign subuids to users, and a small setuid-root
binary to allow users, subject to those constraints, to write to
/proc/$$/uid_maps.
Shadow integration will be nice, but for your use case you should be
able to by-step it until shadow integration is complete.
-serge
More information about the Pkg-shadow-devel
mailing list